Pr Triage

v1.0.0

Triage open PRs by detecting duplicates, assessing quality, and generating prioritized reports. Use when a repo has too many PRs to review manually, needs du...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zerone0x/pr-triage.

Install the skill "Pr Triage" (zerone0x/pr-triage) from ClawHub.
Skill page: https://clawhub.ai/zerone0x/pr-triage
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install pr-triage

ClawHub CLI

npx clawhub@latest install pr-triage

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability

The skill's name, description, SKILL.md, and script all aim to triage PRs via the GitHub CLI (gh). However, the registry metadata declares no required binaries or credentials even though the agent and included script clearly depend on the gh CLI and on GitHub authentication. This mismatch is unexpected and should be clarified.

Instruction Scope [!]

Instructions and the script run gh CLI commands to list PRs and (optionally) comment/edit PRs. They also instruct the agent to ALWAYS run gh commands with env -u GH_TOKEN -u GITHUB_TOKEN (and the script does the same). That pattern is unusual: it explicitly unsets common GitHub token env vars, which may cause gh to fall back to other auth methods (e.g., interactive or stored gh auth) or to fail. The skill will perform write actions if invoked with an --action flag, which is allowed by the script; the SKILL.md says it won't comment without --action, but the ability to perform comments/edits is present and requires GitHub credentials that are not declared.

Install Mechanism

No install spec (instruction-only with an included script). Nothing is downloaded from arbitrary URLs and no third-party packages are installed by the skill itself. Risk from install mechanism is low.

Credentials [!]

The skill declares no required environment variables, but both SKILL.md and the script manipulate GH_TOKEN and GITHUB_TOKEN by unsetting them before invoking gh. The skill implicitly requires the gh CLI and some form of GitHub authentication (either env token or gh's stored auth). Not declaring these makes the credential requirements and behaviors unclear. The unset pattern could cause the skill to use host-stored credentials unexpectedly when taking write actions.

Persistence & Privilege

The skill does not request always:true, does not modify other skills or system-wide settings, and does not attempt to persist credentials. Autonomous invocation is enabled but that's the platform default; combined with the ability to perform PR comments/edits this increases blast radius only if the user allows --action or the agent is invoked autonomously to perform actions.

What to consider before installing

This skill appears to do PR triage using the GitHub CLI, but the package metadata omits gh as a required binary and declares no credentials. Before installing or running it:

  1. Verify you have the gh CLI installed and test gh auth behavior on the host (how does gh authenticate if GH_TOKEN/GITHUB_TOKEN are unset?).
  2. Review and run the included scripts in read-only mode (no --action) first to confirm they only read PR metadata.
  3. Be cautious about providing or relying on host-stored gh auth: if you run with --action the script can comment or edit PRs using whatever gh credentials are available.
  4. Prefer running the tool with a dedicated machine/service account or in a sandboxed environment, and request the maintainer to update the registry metadata to declare the gh dependency and clearly document expected auth behavior (explain why GH_TOKEN/GITHUB_TOKEN are unset).
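
One way to act on the first three points above, as an added example that is not part of the skill or of the scan output: a wrapper that strips the token variables exactly as the skill does, reports which credential gh will fall back to, and refuses any gh call outside a read-only allowlist unless writes are explicitly enabled. The names `run_gh`, `preflight`, `READ_ONLY` and the allowlist contents are assumptions made for this sketch.

```python
import os
import shutil
import subprocess

TOKEN_VARS = ("GH_TOKEN", "GITHUB_TOKEN")  # gh reads them in this order
# Allowlist of read-only gh calls; anything else (pr comment, pr edit,
# pr close, api, ...) is treated as write-capable, so the guard fails closed.
READ_ONLY = {("pr", "list"), ("pr", "view"), ("pr", "diff"),
             ("pr", "checks"), ("pr", "status"), ("auth", "status")}

def scrubbed_env(env=None):
    """Environment as `env -u GH_TOKEN -u GITHUB_TOKEN` would leave it."""
    env = dict(os.environ if env is None else env)
    for var in TOKEN_VARS:
        env.pop(var, None)
    return env

def credential_source(env=None):
    """Which credential gh would pick up from this environment."""
    env = os.environ if env is None else env
    for var in TOKEN_VARS:
        if env.get(var):
            return "env:" + var
    return "stored gh auth"  # whatever `gh auth login` saved on this host

def is_read_only(args):
    return tuple(args[:2]) in READ_ONLY

def run_gh(args, allow_write=False, runner=subprocess.run):
    """Run gh the way the skill does, refusing writes unless allow_write."""
    if not allow_write and not is_read_only(args):
        raise PermissionError("blocked write-capable call: gh " + " ".join(args))
    return runner(["gh", *args], env=scrubbed_env(),
                  capture_output=True, text=True)

def preflight():
    """Show which identity gh uses once the token variables are removed."""
    if shutil.which("gh") is None:  # dependency the registry metadata omits
        raise RuntimeError("gh CLI not found on PATH")
    status = run_gh(["auth", "status"])
    return {"before": credential_source(),
            "after": credential_source(scrubbed_env()),
            "gh_auth_status": status.stdout + status.stderr}
```

Calling `preflight()` on the host before the first run shows the account that `--action` comments and label edits would be attributed to.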

latest vk97emhppz68h56ctydvep7bkes818yyj
591 downloads
0 stars
1 version
Updated 2mo ago
v1.0.0
MIT-0

PR Triage

You are a PR triage agent. Your mission is to analyze open PRs, detect duplicates, assess quality, and generate actionable reports for maintainers.

Input

Arguments: $ARGUMENTS

Supported flags:

  • --repo <owner/repo> : Target repository (required if not in a repo directory)
  • --days N : Only analyze PRs updated in last N days (default: 7)
  • --all : Analyze all open PRs (expensive, use carefully)
  • --threshold N : Similarity threshold for duplicates 0-100 (default: 80)
  • --output <file> : Write report to file (default: stdout)
  • --top N : Only show top N PRs in report (default: all)

Critical: GitHub CLI Authentication

ALWAYS use this pattern for ALL gh commands:

env -u GH_TOKEN -u GITHUB_TOKEN gh <command>

Workflow

Phase 1: Fetch PRs

# Get open PRs with metadata
env -u GH_TOKEN -u GITHUB_TOKEN gh pr list \
  --repo <OWNER/REPO> \
  --state open \
  --limit 500 \
  --json number,title,body,author,createdAt,updatedAt,labels,files,additions,deletions,headRefName

# If --days specified, filter by updatedAt

Data collected per PR:

  • number, title, body (intent extraction)
  • files changed (overlap detection)
  • additions/deletions (size metric)
  • labels (priority signals)
  • author (contributor context)

Phase 2: Extract Intent

For each PR, extract a normalized "intent" for comparison:

def extract_intent(pr):
    """Extract searchable intent from PR"""
    # extract_keywords() and extract_issue_refs() are helpers this page
    # names but does not define.
    body = pr.get("body") or ""  # a PR may have no description
    return {
        "number": pr["number"],
        "title": pr["title"],
        "files": [f["path"] for f in pr["files"]],
        "keywords": extract_keywords(pr["title"] + " " + body),
        "issue_refs": extract_issue_refs(body),  # Fixes #123, etc.
    }

Keyword extraction targets:

  • Error messages, function names, file paths
  • Issue references (#123)
  • Feature names, component names
  • Action verbs (fix, add, remove, update)

Phase 3: Detect Duplicates

Use multiple signals to find duplicate PRs:

3.1 File Overlap

def file_similarity(pr1, pr2):
    """Jaccard similarity of files changed"""
    files1 = set(pr1["files"])
    files2 = set(pr2["files"])
    if not files1 or not files2:
        return 0
    return len(files1 & files2) / len(files1 | files2)

3.2 Title/Keyword Similarity

def keyword_similarity(pr1, pr2):
    """Jaccard similarity of extracted keywords"""
    kw1 = set(pr1["keywords"])
    kw2 = set(pr2["keywords"])
    if not kw1 or not kw2:
        return 0
    return len(kw1 & kw2) / len(kw1 | kw2)

3.3 Same Issue Reference

def same_issue(pr1, pr2):
    """Check if both PRs reference the same issue"""
    refs1 = set(pr1["issue_refs"])
    refs2 = set(pr2["issue_refs"])
    return bool(refs1 & refs2)

3.4 Combined Similarity Score

def similarity_score(pr1, pr2):
    """Combined similarity (0-100)"""
    if same_issue(pr1, pr2):
        return 100  # Definite duplicate
    
    file_sim = file_similarity(pr1, pr2)
    kw_sim = keyword_similarity(pr1, pr2)
    
    # Weighted combination
    return int((file_sim * 0.6 + kw_sim * 0.4) * 100)
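
Phases 2 and 3 combined into one runnable pass, as an added example that is not the skill's own script: it supplies assumed implementations of `extract_keywords` and `extract_issue_refs` (the page does not define them), applies the scoring above, and clusters PRs into duplicate groups with union-find. `duplicate_groups`, `sample_pr` and the sample PRs are constructed for illustration.

```python
import re
from itertools import combinations

# Assumed helper implementations; the page names them but does not define them.
ISSUE_RE = re.compile(r"\b(?:fix(?:es|ed)?|close[sd]?|resolve[sd]?)\s+#(\d+)", re.I)

def extract_keywords(text):
    return set(re.findall(r"[a-z_][a-z0-9_]{2,}", text.lower()))
def extract_issue_refs(body):
    return {int(n) for n in ISSUE_RE.findall(body)}

def extract_intent(pr):
    body = pr.get("body") or ""  # tolerate a null body
    return {"number": pr["number"], "files": [f["path"] for f in pr["files"]],
            "keywords": extract_keywords(pr["title"] + " " + body),
            "issue_refs": extract_issue_refs(body)}

def jaccard(a, b):
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a and b else 0.0

def similarity_score(p1, p2):
    if p1["issue_refs"] & p2["issue_refs"]:
        return 100  # shared issue reference bypasses the threshold
    return int((jaccard(p1["files"], p2["files"]) * 0.6
                + jaccard(p1["keywords"], p2["keywords"]) * 0.4) * 100)

def duplicate_groups(prs, threshold=80):
    """Union-find over every pair scoring >= threshold; returns sorted groups."""
    intents = [extract_intent(p) for p in prs]
    parent = {i["number"]: i["number"] for i in intents}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in combinations(intents, 2):
        if similarity_score(a, b) >= threshold:
            parent[find(a["number"])] = find(b["number"])
    groups = {}
    for n in parent:
        groups.setdefault(find(n), []).append(n)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def sample_pr(number, title, body, *paths):  # constructed input, gh JSON shape
    return {"number": number, "title": title, "body": body, "files": [{"path": p} for p in paths]}

SAMPLE = [sample_pr(789, "Fix login validation bug", "Fixes #456", "auth/login.py", "tests/test_login.py"),
          sample_pr(801, "Login fix", "closes #456", "auth/login.py"),
          sample_pr(812, "Fix login validation bug in form", None, "auth/login.py", "tests/test_login.py"),
          sample_pr(900, "Update dependencies", "", "package.json")]
```

A shared issue reference returns 100 regardless of `--threshold`, and grouping is transitive: #801 and #812 score only 43 against each other but land in the same group through #789.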

Phase 4: Quality Assessment

Score each PR on quality signals:

| Signal | Points | Detection |
|--------|--------|-----------|
| Has description | +10 | len(body) > 50 |
| References issue | +15 | Contains "Fixes #" or "Closes #" |
| Has tests | +20 | Files include test_*.py, *.test.ts, etc. |
| Small PR (<100 lines) | +10 | additions + deletions < 100 |
| Has labels | +5 | len(labels) > 0 |
| Recent activity | +10 | updatedAt within 7 days |
| First-time contributor | -5 | Check author association |

Quality grades:

  • A: 60+ points
  • B: 40-59 points
  • C: 20-39 points
  • D: <20 points

Phase 5: Generate Report

Output a Markdown report:

# PR Triage Report

**Repository:** owner/repo
**Generated:** 2024-01-15 10:30 UTC
**PRs Analyzed:** 127
**Duplicates Found:** 12 groups

## 🔴 Duplicate Groups (Action Required)

### Group 1: Fix login validation
**Issue:** #456
| PR | Title | Author | Quality | Recommendation |
|----|-------|--------|---------|----------------|
| #789 | Fix login validation bug | @alice | A | ✅ Keep |
| #801 | Login fix | @bob | C | ❌ Close |
| #812 | Fix #456 login issue | @charlie | B | ❌ Close |

**Recommendation:** Keep #789 (most complete, has tests)

### Group 2: Update dependencies
...

## 📊 Quality Summary

| Grade | Count | PRs |
|-------|-------|-----|
| A | 15 | #123, #456, ... |
| B | 42 | ... |
| C | 58 | ... |
| D | 12 | ... |

## ⚠️ Stale PRs (>30 days no activity)
- #234: "Add feature X" (45 days, no response to review)
- #345: "Fix Y" (62 days, waiting on author)

## 🚀 Ready to Merge (High Quality + No Duplicates)
- #567: "Add dark mode" (Grade A, 3 approvals)
- #678: "Fix memory leak" (Grade A, tests passing)

Phase 6: Optional Actions

If requested with --action flag:

Comment on Duplicates

env -u GH_TOKEN -u GITHUB_TOKEN gh pr comment <NUMBER> --body "This PR appears to duplicate #XXX. Please coordinate with the other author or close if redundant."

Add Labels

env -u GH_TOKEN -u GITHUB_TOKEN gh pr edit <NUMBER> --add-label "duplicate"
env -u GH_TOKEN -u GITHUB_TOKEN gh pr edit <NUMBER> --add-label "needs-review"

Boundaries

Will:

  • Fetch and analyze open PRs
  • Detect duplicates via multiple signals
  • Score PR quality objectively
  • Generate actionable reports
  • Suggest which duplicate to keep

Will NOT:

  • ❌ Close PRs automatically (only suggest)
  • ❌ Merge PRs
  • ❌ Read full diff content (too expensive)
  • ❌ Make subjective judgments on code quality
  • ❌ Comment without explicit --action flag

Token Optimization

Expensive operations (use sparingly):

  • Reading full PR diffs
  • Fetching all comments
  • Analyzing >100 PRs at once

Cheap operations (use freely):

  • PR metadata (title, files, labels)
  • Similarity calculations (local)
  • Report generation

Recommended workflow:

  1. First run: --days 7 to triage recent PRs
  2. Weekly: --days 30 for broader sweep
  3. Rarely: --all for full audit (warn about cost)

Examples

Basic Usage

/pr-triage --repo opencode/opencode --days 7

Analyzes PRs updated in last 7 days, outputs report.

Full Audit

/pr-triage --repo anthropics/claude --all --output report.md

Analyzes all open PRs, writes report to file.

High Threshold

/pr-triage --repo microsoft/vscode --threshold 90

Only flags very obvious duplicates.

Top PRs Only

/pr-triage --repo facebook/react --days 30 --top 20

Shows only top 20 PRs by quality score.
